UID in subj args - bug?

Viktor Dukhovni openssl-users at dukhovni.org
Thu Jul 6 23:37:23 UTC 2023

On Thu, Jul 06, 2023 at 06:23:46PM -0400, Robert Moskowitz wrote:

> So adding to [ policy_loose ]
> UID                  = optional
> and it works.  Sigh.

Good to hear things work as expected/intended.

> But I still want a list of the types!  For example UID above works. What 
> about Userid?  I misspelled serialNumber (had serialnumber) and it threw 
> that back with an error.  So there IS a list somewhere, even if it is 
> deep in the code.


    Name ::= CHOICE { rdnSequence  RDNSequence }
    RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
    RelativeDistinguishedName ::= SET SIZE (1..MAX) OF AttributeTypeAndValue
    AttributeTypeAndValue ::= SEQUENCE {
      type     AttributeType,
      value    AttributeValue }
    AttributeType ::= OBJECT IDENTIFIER     -- e.g. UID, serialNumber, ...
    AttributeValue ::= ANY -- DEFINED BY AttributeType

    DirectoryString ::= CHOICE {
          teletexString           TeletexString (SIZE (1..MAX)),
          printableString         PrintableString (SIZE (1..MAX)),
          universalString         UniversalString (SIZE (1..MAX)),
          utf8String              UTF8String (SIZE (1..MAX)),
          bmpString               BMPString (SIZE (1..MAX)) }
    The Name describes a hierarchical name composed of attributes, such
    as country name, and corresponding values, such as US.  The type of
    the component AttributeValue is determined by the AttributeType; in
    general it will be a DirectoryString.

So any RDN you choose to include in the subject DN needs an OID and a
value.  The OID can be any of the built-in OID names that are intended
for use in directory names, or a custom OID (specified explicitly or
given a name in configuration file).

The value can be any ASN.1 type, but it really should be a
DirectoryString.  When specifying literal values, you may need to prefix
them with a "UTF8:" qualifier to signal that it is UTF8-encoded when
that's the case.

So any OID at all will do, but of course it should ideally be one that's
recognised as a known type of RDN component by the applications that
process the certificate.  The UID type is inherited from the LDAP world:
https://www.rfc-editor.org/rfc/rfc4519.html#section-2.39, originally
from https://www.rfc-editor.org/rfc/rfc1274#section-9.3.1


    Standard sets of attributes have been defined in the X.500 series of
    specifications [X.520].  Implementations of this specification MUST
    be prepared to receive the following standard attribute types in
    issuer and subject (Section names:
       * country,
       * organization,
       * organizational unit,
       * distinguished name qualifier,
       * state or province name,
       * common name (e.g., "Susan Housley"), and
       * serial number.
    In addition, implementations of this specification SHOULD be prepared
    to receive the following standard attribute types in issuer and
    subject names:
       * locality,
       * title,
       * surname,
       * given name,
       * initials,
       * pseudonym, and
       * generation qualifier (e.g., "Jr.", "3rd", or "IV").
    The syntax and associated object identifiers (OIDs) for these
    attribute types are provided in the ASN.1 modules in Appendix A.

    ... https://datatracker.ietf.org/doc/html/rfc5280#appendix-A

Welcome to the world of X.509 where anything goes, and nobody knows
what's going on...


More information about the openssl-users mailing list